- Professional News
- 15 December 2011
The Danish Executive Order on Cookies has come into force
The Danish Executive Order on Cookies has now been published and came into force on 14 December 2011.
The Order implies that providers of for example websites must provide various information and obtain consent to save information or obtain access to information saved in a user's so-called "data terminal equipment". Data terminal equipment means for example computers, smartphones and tablets as well as external media, such as USB keys, CDs, DVDs, hard disks, etc.
Natural and legal persons are subject to such obligation irrespective of whether they are private persons, persons engaging in commerce or industry or public entities.
All types of information saved or to which access is obtained are subject to these requirements. The Order applies to for example downloads of applications for a tablet or a smartphone in which case a cookie is saved as well.
The information to be disclosed to the user is, inter alia, the purpose of saving or obtaining access to the information, information on who saves or obtains access to saved information and information on the possibility of refusing to give or withdrawing consent. Such information must always be available to the user on for example a website.
A few exemptions apply to the duty to provide information and obtain consent, including if saving is required in order to provide a service via a commercial website which has been expressly requested by the recipient. Consequently, exempt are cookies which are used for shopping baskets or web forms, but cookies the purpose of which is statistics or other analyses are not exempt.
The most difficult issue in connection with the implementation of the new requirements of the Order is how such requirement for consent must be complied with, including how such consent should be obtained.
According to the notes of guidance to the Order, consent may be obtained by for example ticking off a box or by "actively using a service where it must be expected that the user has been informed that information will be saved or access thereto will be given (if not refused)".
The fact that no position has been taken on the legal aspects purely relating to the processing of personal data in the present notes of guidance is inappropriate as the Executive Order on Cookies and the Danish Act on Processing of Personal Data overlap. The provisions of the Act on Processing of Personal Data may in certain cases imply a requirement of express consent when personal data is used for a third party's marketing purposes.
As for cross-border aspects, a principle of sender country applies to service providers within the EEA. If, however, the service provider is established in a country outside the EEA from which country the service provider markets itself to Denmark, the Danish rules (the principle of effect) apply.
It is important to keep in mind that the legislation governing the processing of personal data in other EEA countries may apply even though the service provider is established in Denmark. This will for example be the case if a data controller is established in another EEA country.